We prove that in the BB84 quantum cryptography protocol
Alice and Bob do not need to make a random basis choice for
each qubit: they can keep the same bases for entire blocks
of qubits. It suffices that the raw key consists of many such
qubit-blocks. The practical advantage of reducing the need
for random numbers is emphasized.



The security of quantum cryptography is based
on two main ingredients. The first one is well known:
the celebrated no cloning theorem, or, equivalently,
Heisenberg uncertainty relations or entanglement
without signaling [5]. The second ingredient is also an
absolute necessity, although often only mentioned
implicitly: truly random choices on both sides. Clearly,
quantum cryptography should use quantum randomness,
i.e. the only physical source of true randomness. But in
practice this is a severe constraint, because a complete
protocol requires a huge amount of random numbers,
from Alice's state choices to Bob's basis choices and for
the random choices and random permutations needed for
error correction and privacy amplification.

In this note we prove that the rush for quantum random
numbers can be reduced during the quantum communication
phase of the protocol without impairing the security
against individual attacks. The idea is the following:
Alice and Bob use the same basis for large blocks of
qubits (hence, here individual attacks refers to attacks
block-by-block). During sifting, if they happen to have
chosen different bases, the entire block is disregarded.
For each block Alice and Bob make new and independent
random choices of bases. In the limit of large blocks,
this reduces the rate at which random bits are needed by
about one half [6]. At first sight, one may think that
this makes Eve's life easier: she knows that all the
qubits within a block are coded in the same basis. But we
shall see that this is not the case: Eve's optimal attack
provides her with no more Shannon information, for a given
error rate QBER, than in the usual case where Alice and
Bob make random basis choices for each qubit. Consequently,
provided the raw key consists of (infinitely) many blocks
of qubits, the Csiszár and Körner theorem applies: if the
mutual information Alice-Bob is larger than either of the
mutual informations Eve-Alice or Eve-Bob, then Alice and
Bob can distil a secret key. In practice the mentioned
many blocks should be processed together for error
correction and privacy amplification; hence the block size
should not be too large, otherwise error correction and
privacy amplification consume too much time.
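An added example (not from the paper): a noiseless simulation of the block-wise basis choice and block-wise sifting described above, counting the random bits each party draws. The names `CountingRNG`, `run_bb84` and `random_bits_per_qubit`, the seeded `random.Random` standing in for a quantum random number generator, and the error-free channel are assumptions of this example.

```python
import random

class CountingRNG:
    """Bit source that counts how many random bits a party has drawn."""
    def __init__(self, seed):
        self._rng = random.Random(seed)  # assumption: stands in for a quantum RNG
        self.used = 0

    def bit(self):
        self.used += 1
        return self._rng.getrandbits(1)

def run_bb84(num_blocks, n, seed=1):
    """Noiseless BB84 with one basis choice per block of n qubits.

    n = 1 is the usual protocol with a fresh basis choice for every qubit.
    Returns (alice_key, bob_key, alice_bits_used, bob_bits_used).
    """
    alice, bob = CountingRNG(seed), CountingRNG(seed + 1)
    nature = random.Random(seed + 2)  # measurement outcomes, not a party's RNG
    alice_key, bob_key = [], []
    for _ in range(num_blocks):
        a_basis, b_basis = alice.bit(), bob.bit()  # one basis bit per block each
        sent = [alice.bit() for _ in range(n)]     # bit values remain per qubit
        same = a_basis == b_basis
        # Matching bases: Bob reads Alice's bit. Otherwise his outcome is random.
        got = [s if same else nature.getrandbits(1) for s in sent]
        if same:                # sifting: the basis is announced per block and
            alice_key += sent   # a mismatched block is disregarded entirely
            bob_key += got
    return alice_key, bob_key, alice.used, bob.used

def random_bits_per_qubit(num_blocks, n):
    """Random bits drawn per transmitted qubit, as (alice, bob)."""
    _, _, a_used, b_used = run_bb84(num_blocks, n)
    sent = num_blocks * n
    return a_used / sent, b_used / sent

if __name__ == "__main__":
    for n in (1, 10, 1000):
        a, b = random_bits_per_qubit(100, n)
        print(f"block size {n}: Alice {a:.3f}, Bob {b:.3f} random bits per qubit")
```

With n = 1 Alice draws 2 random bits per qubit and Bob 1; as n grows Alice's rate tends to 1 and Bob's to 0, consistent with note [6].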

The proof that Eve cannot take advantage of the fact
that all qubits within a block are coded in the same basis
(unknown to Eve) follows an argument given by Xiang-Bin [8].
It runs by contradiction. Assume that, for a
given QBER, Eve can extract an averaged information I
per qubit of a block of length n > 2. Then, Eve can extract
at least as much information attacking each qubit
one by one. For this she prepares n - 1 pairs of qubits
in the singlet state. She keeps one qubit per singlet and
uses the others to simulate an n-qubit block, see Fig. 1.
Once Alice and Bob have announced the basis used for this
block, i.e. after sifting, Eve measures the kept qubits in
the announced basis, thus preparing effectively all the n
qubits of the simulated block in the same basis, as
illustrated in Fig. 1. Hence, she can extract I information
per qubit from the simulated block, including I information
on the qubit sent by Alice.

This rather simple argument is of great practical value,
assuming that the result also holds against coherent
attacks (i.e. attacks on the qubits of all blocks). Indeed,
in realistic implementations [9] Alice sends out several
millions of qubits per second, and the trend is clearly
towards even higher rates. This implies megabits of quantum
random numbers, a difficult though not impossible
task. Reducing this factor by almost one half, without
reducing the security, is clearly advantageous. For example,
in the Plug-&-Play configuration we do already send
blocks of qubits from Alice to Bob, in order to circumvent
Rayleigh backscattering [10].

The result presented in this note softens the random 
number generation bottleneck. 



ACKNOWLEDGMENTS 

Supported by the Swiss Center "Quantum Photonics", and 
by the Swiss OFES within the frame of the European project 
RESQ. 



[1] C. H. Bennett and G. Brassard, in Proceedings of IEEE
International Conference on Computers, Systems and Signal
Processing, Bangalore, India (IEEE, New York, 1984) 175.

[2] N. Gisin, G. Ribordy, W. Tittel, and H. Zbinden, Rev. 
Mod. Phys. 74, 145, 2002. 






[3] W. Wootters and W.H. Zurek, Nature 299, 802 (1982); 
L. Mandel, Nature 304, 188 (1983); D. Dieks, Phys. Lett. 
A 92, 271 (1982). 

[4] N. Cerf, M. Bourennane, A. Karlsson and N. Gisin, Phys. 
Rev. Lett. 88, 127902/1-4, 2002. 

[5] N. Gisin, Phys. Lett. A, 242, 1-3, 1998. 

[6] Alice saves almost all bits used for random bases, but still
needs the ones for the bit values. Bob saves almost all random
bits.

[7] I. Csiszar, and J. Korner, IEEE Trans. Inf. Theory 24, 339 
(1978). 

[8] W. Xiang-Bin, Quant-ph 0110089 

[9] D. Stucki, G. Ribordy, A. Stefanov, and H. Zbinden,
J. of Mod. Optics 48, 1967, 2001. Available from
www.idQuantique.com.
[10] G. Ribordy, J.D. Gautier, O. Guinnard, H. Zbinden and 
N. Gisin, J. Modern Optics, 47, 517-531, 2000. 



FIGURE CAPTIONS 

Eve is assumed to have a quantum machine (represented
by the unitary operator U) acting on blocks of
n qubits plus m ancillas. After the unitary interaction
Eve keeps her m ancillas. If Alice sends only one qubit
(or if Eve likes to attack the qubits one-by-one), Eve can
simulate an n-qubit block by adding to Alice's qubit the
halves of n - 1 singlets. After Alice and Bob have announced
the basis, Eve measures the other halves of the singlets in
this basis, thus effectively preparing the simulated block
as n qubits all coded in the same basis.